Hi Everyone,
Our setup is a universal forwarder --> heavy forwarder --> indexer. I am looking to modify a universal forwarder config so I can search on static metadata in Splunk Web. For example, I'd like to be able to search for an `app_name`, `build_version`, or `environment_name` that would be set when the instance comes up.
I have seen various posts on this site about accomplishing that and most of them come back to the link below. This seems like the correct path, but many of the keys are out of date. I have finally settled on the structure below for my files, but I am not seeing anything in Splunk Web. Is this outcome just not possible with Splunk, or am I missing something?
props.conf:

```
[host::i-e420f63c]
TRANSFORMS-test = MYTRANSFORM
```

transforms.conf:

```
[MYTRANSFORM]
REGEX = .*?
SOURCE_KEY = _raw
FORMAT = instance::app_name
```

https://answers.splunk.com/answers/39405/adding-static-field-value-using-props-transforms-based-on-source.html?sort=newest
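
An added example, not part of the original post: one way to attach static metadata as index-time fields, either with `_meta` in the universal forwarder's `inputs.conf` or with a transform on the heavy forwarder, which is where parsing-time props/transforms are applied in this topology. The values `billing-api`, `1.4.2` and `staging`, the stanza name `add_app_name` and the class name `static_meta` are constructed for illustration.

```ini
# --- Universal forwarder: inputs.conf (e.g. $SPLUNK_HOME/etc/system/local/) ---
# _meta attaches index-time fields to events from every input that inherits
# [default]. An input stanza that sets its own _meta replaces this value.
# Constructed values; write them when the instance comes up.
[default]
_meta = app_name::billing-api build_version::1.4.2 environment_name::staging

# --- Search head: fields.conf ---
# Declare the fields as indexed so that app_name=billing-api is resolved
# against the index instead of search-time extraction.
[app_name]
INDEXED = true

[build_version]
INDEXED = true

[environment_name]
INDEXED = true

# --- Alternative, on the heavy forwarder: props.conf ---
# A universal forwarder does not parse events, so index-time transforms
# belong on the first full Splunk instance in the path.
[host::i-e420f63c]
TRANSFORMS-static_meta = add_app_name

# --- Heavy forwarder: transforms.conf ---
# FORMAT is <field name>::<value>; WRITE_META = true writes it to _meta.
[add_app_name]
REGEX = .
FORMAT = app_name::billing-api
WRITE_META = true
```

Restart the forwarder after changing these files; only events indexed after the change carry the new fields.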